Attn: All DPOs and Data Auditors to be: Join this Arattai Group

DPDPA 2023 which is being notified shortly introduces opportunities for two new professions in India. First is the DPOs and Second is the Data Auditors.

DPOs will be responsible for implementation and maintenance of DPDPA  Compliance within an organization and will be employees.

Data Auditors would be responsible for conducting annual Data Audits and DPIAs  and will be independent consultants. They will not be the same as Statutory financial auditors nor they will be the ISO 27001 or PCI DSS auditors who are around.

While Naavi is developing with FDPPI, necessary Training and Certification for building necessary skills   for further interaction of those who are already qualified either with FDPPI or with other Certification bodies such as DSCI, a group has been created on Arattai platform. This group should not only enable exchange of professional thoughts but also emerge as a group for representing the interests of the community with the Government.

I invite all interested persons to  join the groups here with this link:

DPO Group on Arattai

Data Auditor Group on Arattai

The objective of the two groups are slightly different. While the DPOs do internal data audits, they are employees of an organization. The Data Auditors on the other hand are entrepreneurial in nature and consultants  by profession.

Considering that “Aspiring DPOs” and “Aspiring Data Auditors” also would like to join the group for their self development, we shall keep  the groups open to all and not have any restrictive entry criteria.

I request interested persons to join and also bring in their current community members.

If we can build a single large community, we should be able to develop into a strong force to ensure that the professional interests of these groups are well nurtured.

Naavi

 

Posted in Privacy | Leave a comment

New DPO Program from Naavi and FDPPI

In anticipation of the release of the rules within this weekend as hinted by the secretary of MeitY a two day physical training program is being contemplated in Mumbai on November 1 and 2. The program will be from 10.00 am to 5.00 pm and held in a hotel in Andheri. (Proposed Venue: Treebo Amber International, Sakinaka, Andheri)

The coverage would be

  1. Legal nuances of DPDPA and the DPDPA  Rules
  2. Classification of DPDPA protected Data (DPD)
  3. ROPA as a strategic tool of Compliance
  4. Governance  Structuring for meeting the obligations under DPDPA by a Data Fiduciary
  5. Technical challenges of Management of Legal Basis for processing and Rights of Data  Principal
  6. AI and its challenges in meeting the obligations
  7. The Roles of DPO and Data Auditor in the DPDPA era
  8. Use of DGPSI as a Compliance Management framework
  9. Discussions and case studies

The training would be priced at Rs 15000/- plus GST. (Total Rs 17700/-)Participants would be provided with participation certificates and 12 hours of CPE.

Registration for examination for Certification would be optional.  The fees for examination would be Rs 10000/- plus GST (Total R 11800/-)

The total fees for those who register together would be Rs 25000/-. plus GST. (Total Rs 29500/-)

An early bird discount is provided for registration upto 15th October 2025

  1. Early bird discount for training Rs 3000/- Net fees Rs 12000/- (Rs 14160/0)
  2. Early Bird discount for Examination: Rs 2000/-. Net fees Rs 8000/- (Rs 9440/-)

Net price of  the training with certification exam with early bird discount is Rs 20000/-. (Rs 23,600/-)

The three books namely “Guardians of Privacy…”, “DGPSI, he Perfect  prescription…” and ” Taming the twin risks of DPDPA and AI with DGPSI-AI” would be the reading material. The kindle versions of all three are now available and are recommended for purchase for preparation for the exam which will be open for the batch after November 20th.

Naavi

PS: In the unlikely event of the DPDPA rules not being notified, a free Virtual session would be conducted subsequently to all the participants.

Registration Process :Please visit here

Posted in Privacy | Leave a comment

Logistics Intermediaries should be held liable for fraudulent E Commerce deliveries

Success in E Commerce is a combination of technology, supplier chain, pricing strategy and delivery efficiency.

Amazon undoubtedly is in the forefront of e commerce companies and other competitors are unable to catch up in the breadth of product range and pricing.

Many users see product advertisements on Facebook but often prefer to buy from Amazon the same products which may be available in the manufacturer’s website also.

One of the hidden reasons for which Amazon has succeeded  in getting this customer confidence is that the frauds of wrong products being delivered by vendors is reasonably controlled.

Recently, I had an occassion to dispute a supply on Amazon which was not the product ordered. The product supplier was perhaps not  prepared to take the return. But Amazon without question refunded the money even though the product  was not returned.

No doubt, Amazon might have suffered a small loss in the transaction but the customer confidence they would have gained is worth more than that.

On the other hand I recently ordered a product based  on a Face Book advertisement from a site called Apwety and the order was fulfilled by Delhivery.  (Product was not available on Amazon). The product delivered was different and when I checked, this was the experience of many others (Details).

What this indicates is that the customer is a noted fraudster and Delhivery was supporting the fraudster by being the delivery agent for the fraudulent company.

In terms of legal liability of a fraud of this kind, the responsibility has to be considered as “Shared”. In a situation where the Delivery partner is a bigger entity and the end  fraudster is a relatively unknown company, the possibility of legal liability being claimed from the delivery partner is high. The question that one is the principal and the other is the agent has minimal impact and depends on whether the agent is a disclosed agent or not. Also it is only a matter of investigation if the products were switched by the delivery partner or at the source itself.

Hence when an FIR is filed, it will have to be filed against both the E Commerce operator and the delivery partner with “Joint and several responsibility”.

In the instant case, Apwety and Delhivery are therefore jointly and severally responsible for the fraud. On further enquiry it is found that the details on the MCA website about the company representing Apwety has details of promoters which  the registered promoter claims is incorrect since he has sold  his company to another person. This means that Delhivery has not done proper KYC  on their  vendors at the time of their onboarding.

In a parallel case in a Bank scenario, if a customer whose KYC is improper commits a fraud, the Bank  has to take the liability. This is the principle established first with the S.UMashankar Vs ICICI Bank case which was personally handled by me and thereafter several cases in which decisions have been given by the Adjudicator of IT and TDSAT. (In Umashankar case the judgement was endorsed further by the High Court).

Hence if a complaint is formally launched against Delhivery and the E Commerce partner together, Delhivery would be liable to  fulfill the claim and try to recover it from the vendor.

From my experience with Delhivery, an intelligent guess is that there are perhaps hundreds of  fraudulent transactions and scores  of fraudulent customers that Delhivery is supporting. If a formal investigation is launched, it would cause a serious damage to  the company.

The objective of pointing this out  is not to bring disrepute to the Company but to highlight that many companies like this have no understanding of the Risks they run because of the company they keep.

It is in this context that I observed that Delhivery has 8 independent Directors who are expected to be the experts who provide advise to the company on such matters as against three executive directors who may be taking care of Finance, Technology and HR.

This also opens up a thought whether there is any strategy of the entrepreneurs to have 8 non executive independent directors to three executive directors and whether each of the independent directors represent a specific expertise.

Ideally a company should ensure that each of the independent directors take some informal responsibility of managing one area of operations either to assist revenue increase  or  reduce liabilities which are hidden costs.

In today’s world , there are several legal compliance issues that are hidden liabilities for a company and it requires close monitoring. ITA 2000,DPDPA and AI are three such risks that need close monitoring and it  would be a good strategy for organizations to ensure that specific independent directors are assigned oversight responsibilities  to assist the Compliance officer, DPO and the  AI Governance manager.

Naavi

Posted in Privacy | Leave a comment

Can we break out of the shackles of the Big Tech Control of our Policies?

After the Minister of Railways and IT , Mr Ashwin Vaishnav publicly pleaded the Meity Secretary to confirm the date of release of the final rules related to DPDPA, one thought that there will be no turning back.

But it appears that the department still ignored Mr Vaishnav’s soft directive  to release the  rules by September 28th and prioritized the release of the draft rules on the PROGA 2025 which is anyway going to be delayed through a challenge in the Court.

Assuming that the MeitY is not defying their ministerial head, we can presume that the department is working on how the DPDPA rules can be used to give a strong reply to Mr Trump for his Tariff and H1B Visa attacks on India.

Mr Vaishnav has also encouraged  ZOHO and his simple sentence that  he is shifting to Arattai  has created a big wave in favour of ZOHO. We also understand that CHINA is allowing ZOHO to operate in their country to erode Microsoft further.

But so far, Microsoft, Adobe, Google, Meta and Amazon has controlled all narratives of policy in Indian IT. We have many times the practice of sharing proposed drafts of legislation with these US based Tech companies and heeding to their advice. NASSCOM unfortunately is in the control of these giants and hence this consultation with the industry  often means seeking the permission from them to go ahead with our legislation.

We hope at least now MeitY shows its own commitment to Indigenisation by making “Personal Data Localization” mandatory within the next 6 months. We should also ensure that none of the DPB appointments should be based on the recommendations of Meta/Google/Microsoft. Alternatively Data transfer outside India should be subject to a special tariff.

We should also work for reducing our dependencies on the US IT services and encourage ZOHO, Jio, OLA and other Indian entities to take over the work which Meta, Google, Adobe, Amazon, Uber and Microsoft are doing today.

It is high time we create a new independent ministry on IT and appoint a suitable technocrat to head it.

Naavi

Posted in Privacy | Leave a comment

Draft Rules for PROGA 2025

While all of us were waiting for the Final Rules for DPDPA to be released, Meity came up with “Draft Rules” for public comments related to Promotion and regulation of Online Gaming Act 2025 (PROGA2025).

Details of the notification are available at www.proga2025.in

The public comments can be submitted by 31st October 2025 by email to ogrules.consultation@meity.gov.in

The draft rules can be accessed here: 

Explanatory notes for the rules can be accessed here

The essential aspect of the rules is the formation of a regulatory body with a Chairperson and Five other members. Three members  will represent the ministries of Information and Broadcasting, youth Affairs and Sports and financial services. Out of the other two one would be a person having special knowledge of and experience in law. The regulatory body may take the assistance of experts as may be necessary.

It is proposed that any online  game service provider intending to seek recognition and registration of an online game as an “Online Social Game” or “E Sport” may on his own volition make an application.

The authority may “Suo moto” or on the basis of application made determine whether an online game is an online money game or otherwise. If a service is considered an “Online money game”, the service shall be stopped immediately and further action may be initiated by the Government.

Naavi

Posted in Privacy | Leave a comment

Fraud by Apwety in connivance with Delhivery

I am enclosing the different comments of people on Facebook related to the fraud being committed by the company Apwety in connivance with Delhivery.

https://www.facebook.com/groups/1384918328774124/posts/1624552254810729/ 

The despatch was made in the name of Plasto Creative Solutions Pvt Ltd. and one Mr Prateek from this company has stated that Plasto Creative Solutions Pvt Ltd was his company which he has now transferred to another person. However Mr Prateek has not been sharing the information of the person who according to him is in control of the company.

Delhivery support has stated that they are only delivery agents and cannot take responsibility for the product. However they are responsible for assisting a fraudulent company and therefore can be held liable. 

I have tried to contact Mr Sahil Barua the  CEO of Delhivery and he is yet to respond. 

Apwety contact details available are 

Company Name: Yiwu Kangli Trading Co., Ltd. First Floor, Unit 2, Building 31, Qingkou South District, Jiangdong Street, Yiwu City, Jinhua City, Zhejiang Province: E-mail: support@dedseov.com: Tel: +917806800166

Plasto Creative Solutions  has the following contact details

B 128, First Floor, Sector-2, Noida, Gautam Buddha Nagar, Noida, Uttar Pradesh, India, 201201:  +91-9784540371:  admin@plastocreatives.com

Registered office: E-22 Sector A-5/6 TDS city (Tronica city)NA-Ghaziabad-Uttar Pradesh-201102-India

Delhivery has its headquarters at

Gurugram: Plot 5,sector 44 Gurgaon, Haryana – 122001 and has offices in many other cities.

Mr Deepak Kapoor  is the Chairman and Non-Executive Independent Director and  Mr Sahil Barua is the Managing Director.  The Company seems to have only “Independent Directors” and Mr Sahil Barua, Suraj Saharan and Kapil Bharati are the other non-independent Directors. This structure of designating every body as “Independent Directors” itself indicates avoidance of liability.

All the three companies  are jointly and severally liable for the fraud and I request police in UP to file a suomotu case on all the three companies so that this Chinese Company and  its agents in India are brought to book. 

MeitY also should consider blocking this website dedseov.com as a “Fraudulent Domain”.

The domain dedseov.com has been registered by Godaddy who is hiding the fraudster’s identity. By holding back the information of the registrant, Godaddy.com is also collaborating with this Chinese company and is co-responsible for the fraud. Send your complaint to abuse@godaddy.com

I request some body in UP to file a complaint with the Police so that the intermediaries who are assisting the Chinese company in this e-Commerce fraud are made to pay for their complicity.

Naavi

Posted in Privacy | Leave a comment